Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

AWS IoT Core credential provider requires private key to be sent

0

I was reading through these docs and noticed that the steps to request a security token requires the client to send its private key to credential provider service.

curl --cert your certificate --key your device certificate key pair -H "x-amzn-iot-thingname: your thing name" --cacert AmazonRootCA1.pem https://your endpoint /role-aliases/your role alias/credentials

This is mentioned in these docs: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html https://aws.amazon.com/blogs/security/how-to-eliminate-the-need-for-hardcoded-aws-credentials-in-devices-by-using-the-aws-iot-credentials-provider/

Looking at it superficially, I would think this is a security flaw and would defeat the purpose of using asymmetric keys in the first place.

Any help to help me understand what is going on is greatly appreciated.

Temas
Internet de las cosas (IoT)Seguridad, identidad y cumplimientoAWS Well-Architected Framework
Etiquetas
AWS IoT CoreInternet de las cosas (IoT)Seguridad del dispositivoSeguridad
Idioma
English
AmuletxHeart
preguntada hace un año460 visualizaciones
1 Respuesta
0
Respuesta aceptada

Hi,

The private key is never sent to the Credential Provider. It is used to establish a mutual (mTLS) connection with the endpoint. That gives Credential Provider the ability to verify the presented X.509 certificates.

AWS
Gavin_A
respondido hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante